Routing is a function associated with the Network Layer (layer 3) in the Open Systems Interconnection (OSI) model, which is the standard reference model for network communication. On a communication network (e.g., the Internet), a router is typically a device that determines the next network point to which a packet should be forwarded so that the packet can reach its destination. A router is located at a gateway between at least two different networks and permits the connected networks to communicate with each other. A router creates and maintains a table of the available routes and their conditions, and uses this information (along with distance and cost algorithms) to determine the best route for a given packet. Typically, a packet travels through a number of network points with routers before arriving at its destination.
In an environment where IPV6 stateless address autoconfiguration is used, an IPV6 router is required to advertise its presence in a network by transmitting an advertisement that carries information about the network. The router advertises at periodic time intervals in order to indicate that it is the dedicated router for that particular network and which network prefixes are associated with the link. Additionally, the dedicated router can answer a query from a client by responding with an advertisement to the client. The advertisement function is typically performed by the central processing unit (CPU) of the router.
In an IPV6 (Internet Protocol Version 6) network, any device that can access a physical port (on a network device in the network) can intentionally or unintentionally become the designated router for a particular network. The IPV6 standard is described in, for example, <http://asg.web.cmu.edu/rfc/rfc2462.html> which is hereby fully incorporated herein by reference.
If the client on an IPV6 network uses stateless address autoconfiguration (RFC 2462) to obtain network related information, a security issue arises. Stateless address autoconfiguration (RFC 2462) requires no manual configuration of hosts, minimal configuration of routers, and no additional servers. The stateless mechanism allows a host to generate its own addresses using a combination of locally available information and information advertised by routers. Routers advertise prefixes that identify the subnet associated with a link, while hosts generate an interface identifier that uniquely identifies an interface on a subnet. An address is formed by combining the two (prefix and interface identifier).
Assuming the unauthorized device is an IPV6 routing capable device, that unauthorized device can become the designated router simply by being plugged into a physical port on the network device. This scenario is a potential network security problem and may cause networking problems in general. The unauthorized device can also advertise additional network prefixes, and any client configured for autoconfiguration will automatically become a member of that network.
The unauthorized device intentionally becomes the designated router if a hacker connects that unauthorized device to a network port on the network device, and the unauthorized device advertises itself as the best route for the network. The clients will erroneously learn that the unauthorized device is the designated router for the network, based upon the advertisements from the unauthorized device, and the clients will then change their routes to go through the unauthorized device. Therefore, all packet traffic for a network segment is diverted to this unauthorized device that is acting as the designated router. This unauthorized device can then examine all packets through a monitor port and forward the packets to a particular destination that permits sniffing of the packet content. The sniffing of the packet contents can permit a hacker to obtain passwords, credit card information, and/or other confidential information of a network user or can permit the hacker to otherwise disrupt the operation of the network.
The unauthorized device unintentionally becomes the designated router if the unauthorized device is connected to the network device for purposes of testing, or is unintentionally connected to a port (of the network device) where the port is not configured. The unauthorized device can potentially become the default gateway for the network, but will not have any routes to the rest of the network because the unauthorized device is not the proper designated router. The host node (client) will use this unauthorized device as the designated router, but the host user will receive back a message from the unauthorized device, where the message indicates that the network is unreachable. Therefore, in this manner, the unauthorized device will disrupt the normal operation of the network, and this disruption will persist until the unauthorized device is removed from the network or the entries regarding this unauthorized device are aged out (i.e., the entries are automatically deleted after a particular amount of time).
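As an added example (not part of the original text), the following Python parses an ICMPv6 Router Advertisement as a client would receive it, derives the stateless address an RFC 2462 host would form from the advertised prefix, and flags advertisements whose sender or prefix is not on an allow-list of authorized routers, which is how a monitoring host could detect the intentional and unintentional rogue-router scenarios described above. The allow-list, the MAC addresses, and the sample advertisement bytes are constructed for illustration.

```python
import ipaddress
import struct

# Constructed allow-list: the link's one authorized router and on-link prefix.
AUTHORIZED_ROUTER_MACS = {"00:11:22:33:44:55"}
AUTHORIZED_PREFIXES = {ipaddress.IPv6Network("2001:db8:1::/64")}

def parse_router_advertisement(payload: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (type 134) and its options."""
    icmp_type, _code, _csum, _hops, _flags, lifetime = struct.unpack("!BBHBBH", payload[:8])
    if icmp_type != 134:
        raise ValueError("not a Router Advertisement")
    ra = {"router_lifetime": lifetime, "source_mac": None, "prefixes": []}
    offset = 16  # skip the reachable time and retransmit timer fields
    while offset + 2 <= len(payload):
        opt_type, opt_len = payload[offset], payload[offset + 1]
        if opt_len == 0:
            raise ValueError("zero-length option")  # malformed; discard the RA
        opt = payload[offset:offset + opt_len * 8]
        if opt_type == 1:  # source link-layer address option
            ra["source_mac"] = ":".join(f"{b:02x}" for b in opt[2:8])
        elif opt_type == 3:  # prefix information option: prefix length at byte 2, prefix at 16..32
            ra["prefixes"].append(ipaddress.IPv6Network((opt[16:32], opt[2]), strict=False))
        offset += opt_len * 8
    return ra

def slaac_address(prefix: ipaddress.IPv6Network, mac: str) -> ipaddress.IPv6Address:
    """Address an RFC 2462 host forms: advertised prefix + EUI-64 interface identifier."""
    b = bytearray(int(x, 16) for x in mac.split(":"))
    b[0] ^= 0x02  # invert the universal/local bit of the MAC
    iid = bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])
    return ipaddress.IPv6Address(prefix.network_address.packed[:8] + iid)

def rogue_ra_findings(ra: dict) -> list:
    """Report an RA whose sender or advertised prefixes are not on the allow-list."""
    findings = []
    if ra["router_lifetime"] > 0 and ra["source_mac"] not in AUTHORIZED_ROUTER_MACS:
        findings.append(f"unauthorized default router {ra['source_mac']}")
    findings += [f"unauthorized prefix {p}" for p in ra["prefixes"] if p not in AUTHORIZED_PREFIXES]
    return findings

# Constructed RA from an unauthorized device: router lifetime 1800 s, one rogue prefix.
ROGUE_RA = (
    struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)
    + bytes([1, 1]) + bytes.fromhex("deadbeef0001")
    + bytes([3, 4, 64, 0xC0]) + struct.pack("!III", 2592000, 604800, 0)
    + ipaddress.IPv6Network("2001:db8:bad::/64").network_address.packed
)
```

Running `rogue_ra_findings(parse_router_advertisement(ROGUE_RA))` reports both the unauthorized default router and the unauthorized prefix; the checksum is not verified here because the sample is not embedded in an IPv6 packet.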
In one possible approach for network security, RFC (Request For Comment) 2462 mentions that IPSEC (Internet Protocol Security) could be used for authentication in network communication. Only devices in the network that could pass this authentication can become part of the network. IPSEC is a framework for a set of protocols for security at the network or packet processing layer of network communication. IPSEC provides two choices of security service: Authentication Header (AH), which essentially allows authentication of the sender of data, and Encapsulating Security Payload (ESP), which supports both authentication of the sender and encryption of data as well. The specific information associated with each of these services is inserted into the packet in a header that follows the IP packet header. Separate key protocols can be selected, such as the ISAKMP/Oakley protocol. However, IPSEC is not yet widely used and is not available for all devices.
In one possible approach for network security, 802.1x (port based network access control) authentication may be used in network communication. However, this standard may not function in an IPV6 (Internet Protocol Version 6) network.
Therefore, the current technology is limited in its capabilities and suffers from at least the above constraints and deficiencies.